I am working on a project where I've been requested to prove that a certain user deleted files from a Windows PC. The PC is running Vista. I took a forensic image of the machine and I am examining in FTK 6.4.

I have recovered ~4,000 files deleted from the machine, but only 637 of these were located in the $RECYCLE.BIN folder. The rest are marked as deleted but do not have an instance in the $RECYCLE.BIN. That being said, I can only confirm the user's SID for the 637 files located in the correlating SID folder within the $RECYCLE.BIN.

I have checked the metadata for a number of these ~3,000 files and they seem to have multiple NTFS Access Control Entries, at least 3 users per file all including the user I am looking for. 2 of these are the known DEFAULT Administrators and SYSTEM SIDs (S-1-5-32-544 and S-1-5-18) and the third is the main user.

Is this enough evidence to prove that the main user deleted the files, as he was the only 'real' user with access? Or can this only offer plausible evidence? I have found conflicting information online and am having trouble finding direct laws addressing this.
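The 637 files that can be tied to a SID are the ones whose `$I` metadata record sits under `$RECYCLE.BIN\<SID>\`. The following is an added example (not part of the original post and not FTK code) showing what that record actually contains on Vista and later: the original size, the deletion time as a FILETIME, and the original path, which is why Recycle Bin deletions can be attributed and dated while the ~3,000 other deletions cannot. The sample path, size, timestamp and SIDs are constructed for the example; the version 1 layout (Vista/7/8) and version 2 layout (Windows 10 and later) are the real on-disk formats.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16LE code units (MAX_PATH) in the Vista/7/8 layout


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic avoids float precision loss."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_dollar_i(data):
    """Parse one $I record from $RECYCLE.BIN\\<SID>\\$I<random>.<ext>.

    Version 1 (Vista/7/8): 8-byte version, 8-byte original size, 8-byte FILETIME
    deletion time, 520-byte NUL-padded UTF-16LE original path (544 bytes total).
    Version 2 (Windows 10+): same 24-byte header, then a 4-byte character count
    (including the terminating NUL) and the UTF-16LE path.
    """
    if len(data) < 24:
        raise ValueError("record too short to hold the $I header")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + V1_PATH_BYTES]
        path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    else:
        raise ValueError(f"unknown $I version {version}")
    return {
        "version": version,
        "original_size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


# The SID is not inside the record; it comes from the folder the record lives in.
SID_RE = re.compile(r"\$RECYCLE\.BIN[\\/](S-1-5-[0-9-]+)[\\/]", re.IGNORECASE)


def sid_from_recycle_path(path):
    """Return the per-user SID folder name from a $RECYCLE.BIN path, or None."""
    m = SID_RE.search(path)
    return m.group(1) if m else None


# --- constructed sample data for a stand-alone run (not from any real image) ---
SAMPLE_PATH = r"C:\Users\mainuser\Documents\report.docx"
SAMPLE_SIZE = 34817
SAMPLE_DELETED_AT = datetime(2018, 12, 3, 13, 15, 0, tzinfo=timezone.utc)


def build_sample_record(version=1):
    """Build a synthetic $I record in the requested layout."""
    header = struct.pack("<QQQ", version, SAMPLE_SIZE, datetime_to_filetime(SAMPLE_DELETED_AT))
    if version == 1:
        body = SAMPLE_PATH.encode("utf-16-le").ljust(V1_PATH_BYTES, b"\x00")
    else:
        body = struct.pack("<I", len(SAMPLE_PATH) + 1) + (SAMPLE_PATH + "\x00").encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    # constructed path of the record inside the image; the SID is a placeholder
    record_path = r"E:\$RECYCLE.BIN\S-1-5-21-111-222-333-1001\$IQ3Z8K1.docx"
    info = parse_dollar_i(build_sample_record(1))
    print("SID folder:", sid_from_recycle_path(record_path))
    for k, v in info.items():
        print(f"{k}: {v}")
```

The matching `$R<random>.<ext>` file beside the `$I` record holds the content; FTK's "Recycle Bin" view is reading these same structures. Files removed with Shift+Delete, from a command prompt, or by a program never get a `$I` record, which is consistent with the ~3,000 deletions that only show up as unallocated MFT entries.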

Is this enough evidence to prove that the main user deleted the files, as he was the only 'real' user with access?

How did you establish that? That is, that there was no second user at the time of deletion, who has since been removed?

It doesn't sound like it does prove anything.

Why are you looking at the files? They will only tell you if the Delete permission had been enabled for them. There's also the 'Delete Subfolders and Files' permission to be taken into account. And, I think, also Modify for the directory that contains the relevant file. And perhaps also directory traversal permissions ...

Without diving deeply into my Windows sysadmin reference books, it seems that you really want to know: at the time of deletion, what users existed on the system? what groups did they belong to? and what permissions did those users or groups have on the relevant directories at that time. And ... if there was no explicit permission, was there any inherited permission (allow or deny)?

If the list of users has changed since, or the list of groups or group members has changed, or access rights for the relevant directories (remember those inherited permissions) have changed since, you need other evidence than what the file system can tell you, as you don't have state at time of deletion. (Though there may be some way around that that I can't think of right now.)

Administrators are a minor nuisance, but they also need to be covered. An Admin (i.e. someone with Full Rights or Take Ownership Right and perhaps one or two more rights) can always take ownership of a file system object. And there are some scenarios involving users with the rights to give others ownership to their files that might need to be covered as well, especially if such users are no longer active on the system.

I don't touch on plausibility at all -- that's a matter of observation and statistics as far as I understand the term. Only on technical possibility.

I'm sure I've got something wrong -- this area of NTFS always made my head ache.

Last edited by athulin on Mon Dec 03, 2018 1:15 pm; edited 1 time in total
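The permission question raised above (Delete on the file itself versus Delete Subfolders and Files on the parent, plus an administrator's ability to take ownership) can be made concrete with a small access-check model. This is an added example, not athulin's code or anything from Windows; it walks a DACL the way the kernel does (ACEs in stored order, a matching deny on any still-outstanding requested bit refuses, allows accumulate) and reports which route, if any, would let a token delete a file. The access-mask constants are the real Win32 values; the SIDs other than SYSTEM, Administrators and Users, and all of the DACLs, are constructed to mirror the thread's description. The result is only as good as the DACLs fed in, which is exactly the point: it must be run against the ACLs as they stood at deletion time, not as they stand in the image today.

```python
from collections import namedtuple

# Access-mask bits from the Win32 headers (real values)
DELETE = 0x00010000             # delete this object
WRITE_OWNER = 0x00080000        # change the owner (then owner implicitly gets WRITE_DAC)
FILE_DELETE_CHILD = 0x00000040  # "Delete Subfolders and Files" on a directory
FILE_ALL_ACCESS = 0x001F01FF    # Full control

# kind is "allow" or "deny"; inherited records whether the ACE came from the parent
ACE = namedtuple("ACE", "kind sid mask inherited")

# Well-known SIDs (real) and two constructed local accounts
SYSTEM = "S-1-5-18"
ADMINS = "S-1-5-32-544"
USERS = "S-1-5-32-545"
MAIN_USER = "S-1-5-21-111-222-333-1001"   # constructed placeholder
OTHER_USER = "S-1-5-21-111-222-333-1002"  # constructed placeholder


def access_check(token_sids, dacl, requested):
    """Return True if every bit of `requested` is granted to a token holding `token_sids`.

    `dacl` None means the object has no DACL at all, which grants everything; an
    empty list grants nothing. ACEs are evaluated in stored order; a canonical
    DACL stores explicit deny, explicit allow, inherited deny, inherited allow.
    """
    if dacl is None:
        return True
    granted = 0
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        outstanding = requested & ~granted
        if ace.kind == "deny" and ace.mask & outstanding:
            return False          # a deny on a bit not yet granted ends the check
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def deletion_route(token_sids, file_dacl, parent_dacl, privileges=()):
    """Describe how a token could delete a file, or return None if it cannot."""
    if access_check(token_sids, file_dacl, DELETE):
        return "DELETE on the file"
    # NTFS allows deletion through the parent even when the file's own DACL refuses it
    if access_check(token_sids, parent_dacl, FILE_DELETE_CHILD):
        return "FILE_DELETE_CHILD on the parent directory"
    # An administrator (SeTakeOwnershipPrivilege) or anyone holding WRITE_OWNER can
    # become owner, rewrite the DACL as owner, and then delete
    if "SeTakeOwnershipPrivilege" in privileges or access_check(token_sids, file_dacl, WRITE_OWNER):
        return "take ownership, rewrite the DACL, then DELETE"
    return None


# Constructed DACL matching the thread: SYSTEM, Administrators, main user, full control
FULL_FOR_THREE = [
    ACE("allow", SYSTEM, FILE_ALL_ACCESS, False),
    ACE("allow", ADMINS, FILE_ALL_ACCESS, False),
    ACE("allow", MAIN_USER, FILE_ALL_ACCESS, False),
]

if __name__ == "__main__":
    for label, token in (("main user", {MAIN_USER, USERS}), ("other user", {OTHER_USER, USERS})):
        print(label, "->", deletion_route(token, FULL_FOR_THREE, FULL_FOR_THREE))
```

With the DACL the thread describes, the main user's token is one of three principals that can delete directly; the model also shows why a second account, a group membership that has since changed, or an administrator working through ownership cannot be excluded from the file system alone.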

Why are you looking at the files? They will only tell you what rights users/groups had to perform read/write/etc. on the files themselves. Right to delete seems to have been added as such a special permission (?).

A file deletion is also a modification of the parent directory. You probably also need to check that: who had the right to modify the *directory* that referenced the relevant MFT entry.

Without diving deeply into my Windows sysadmin reference books, it seems that you really want to know: at the time of deletion, what users existed on the system? what groups did they belong to? and what access rights did those users or groups have on the relevant directories at that time. And ... if there was no explicit permission, was there any inherited permission (allow or deny)?

If the list of users has changed since, or the list of groups or group members has changed, or access rights for the relevant directories (remember those inherited permissions) have changed since, you need other evidence than what the file system can tell you, as you don't have state at time of deletion. (Though there may be some way around that that I can't think of right now.)

Administrators are a minor nuisance, but they also need to be covered. An Admin (i.e. someone with Full Rights or Take Ownership Right and perhaps one or two more rights) can always take ownership of a file system object. And there are some scenarios involving users with the rights to give others ownership to their files that might need to be covered as well, especially if such users are no longer active on the system.

Thank you for your response, athulin. I see that there is deeper analysis necessary here. Regarding time of deletion - checking the users/groups/rights on the system at a certain point in time, or over a date range. Can records such as these for certain time periods be found in the Registry, or is this more of a question for the machine's IT administrator?

I believe once I am able to determine the existing users in the decided time frame, and their access rights/permissions, I can narrow this down to the possibility that any of the users with access rights/permissions could have deleted the files. But to narrow this down further and prove that one certain user deleted the files is difficult (or impossible?) without having been there at the time of deletion. Am I on the right track?

Note - I have identified two main folders that all 'non-$RECYCLE.BIN' deleted files resided in. These two folders all contain NTFS Access Control Entries for the three users outlined above - SYSTEM, Administrators, and the main user. These users all have read/write/delete/change permissions/change ownership rights to these folders.

Administrators are a minor nuisance, but they also need to be covered.

A very interesting sentence (if taken out of context)

@jparsont03
Besides what athulin suggested, there is also another possibility (not to put you down in any way): the machine could (unless some particular preventing measures were taken) have been booted from another OS (think of a bootable CD/DVD or USB stick) like a PE or a Linux distro to perform the deletion (and BTW this would be as well compatible with a number of deleted files "outside" the Recycle Bin).

For these deleted files outside the Recycle Bin, I doubt you can prove exactly when they were deleted [1], so it would be difficult to know (let alone prove) which user was logged in at the time of the deletion.

jaclaz

[1] maybe you could establish some "not before" and some "no later than" thresholds, but they would be probably very "loose"

_________________
- In theory there is no difference between theory and practice, but in practice there is. -

Regarding time of deletion - checking the users/groups/rights on the system at a certain point in time, or over a date range. Can records such as these for certain time periods be found in the Registry, or is this more of a question for the machine's IT administrator?

Registry -- only if you have access to registry at the relevant time, for example by backup or shadow copy or such. Audit logs would be the normal place to look for traces, but I believe the relevant logging needs to be enabled first. (Obvious 'forensic readiness' issue.)

But to narrow this down further and prove that one certain user deleted the files is difficult (or impossible?) without having been there at the time of deletion.

'Prove' in the technical sense based on NTFS info alone. In the legal sense ... I leave that to experts on just what rules of evidence you operate under.

But you may have well-configured audit logs that show that only this user was logged in at the time. That would probably strengthen the case against that user. You may have something else of equal value. (For some jobs I used to find logs from the antivirus system saying exactly the time and the logged in user for various AV activities ... very useful info.)

Other weird ideas:
Batch jobs? Set up to go off at a particular time, and impersonating the suspected user? Technically possible ... but ...

Added: And with Vista you may still have last access time stamps enabled, which might be useful in some circumstances.

Last edited by athulin on Mon Dec 03, 2018 1:59 pm; edited 3 times in total

I absolutely did not take any offense jaclaz! I really appreciate the information. As my username states, I am a relative 'newbie'. I did not even consider the notion that the user booted into the system with another OS to perform deletions.

If this were the case, this would be difficult to prove as well. I have a record of what removable devices were attached to the machine, but whether or not it was booted to another OS wouldn't be recorded anywhere that I'm able to access if I understand correctly. So, unless I'm able to make a breakthrough with athulin's suggestions, the only evidence that can be technically proven deleted by the user is that in his respective Recycle Bin. For the remaining files, I'll outline some of these possible scenarios making proof difficult in my report.

Thanks again, athulin. This gives me a lot to contemplate and work with. Cheers.